PREFACE


This Note reviews the concept of design basis accidents — an artificial boundary separating those accidents which are considered in the licensing process from those which currently are not — and discusses how the concept enters into light water reactor (LWR) and liquid metal fast breeder reactor (LMFBR) design. It also re-examines the impact of the accident at Three Mile Island on the design basis concept, and how it might affect licensing for LWRs and LMFBRs.

This document, supported under U.S. Department of Energy contract AS03-78ET-37300, is one in a series of studies assessing nuclear safety issues. It should be of interest to those who design nuclear safety systems, who regulate nuclear safety, and who finance safety research.

Already published in the nuclear safety series is Rand Note N-1188-DOE, Anticipated Transients Without SCRAM for Light Water Reactors: Implications for Liquid Metal Fast Breeder Reactors, by W. E. Kastenberg and K. A. Solomon, July 1979.
SUMMARY


The 1979 accident at the Three Mile Island-Unit 2 (TMI-2) nuclear generating plant prompted numerous studies identifying relevant safety issues and recommending both short term and long term fixes to improve the general safety of the light water reactor (LWR). One of the major safety issues which has evolved from the Action Plan of the Nuclear Regulatory Commission's (NRC) Task Force investigations concerns the use of the design basis accident (DBA) in the licensing process. The DBA is an artificial "boundary" separating those "credible" accidents which are considered in the licensing process from those "incredible" ones which are not.

While these recommendations focus on current light water reactors, they will also affect design and operation of the liquid metal fast breeder reactor (LMFBR). This Note assesses the impact of the TMI-2 accident on the LMFBR. Specifically, it:

o Reviews the DBA concept and its use in the licensing process.

o Assesses the impact of the TMI-2 accident on the DBA concept in general and the LMFBR licensing process in particular.

o Considers how the concept of risk can be used in setting the DBA criteria.

o Discusses key implications of the TMI-2 accident on other issues in addition to the DBA concept.

There will be many significant similarities in the licensing approach for LWRs and LMFBRs; specifically, the range of accident initiating events considered, and their frequency of occurrence will be similar. I suggest that many of the changes required by the NRC Action Plan will apply directly or indirectly to the LMFBR.

Further, the TMI-2 accident may have a significant impact not only on the design of the future LWR Safety Program — but equally important — on the design of the future LMFBR Safety Program. Currently, the safety emphasis in both programs is on reducing the magnitude of very high consequence, very low probability accidents. However, one of the major lessons of TMI is that more attention needs to be focused on higher probability (or even anticipated) events which could potentially propagate to large consequences, either through design failures or operator errors. Future considerations for both LWR and LMFBR risk reduction will include emphasis on these more likely events, in addition to "beyond the current design basis events." Recommendations include:

1. DOE should become actively involved with the NRC, which is actively pursuing the possibility of developing quantitative risk criteria for LWRs.

2. The several key factors addressed by the NRC Staff Action Plan must be resolved, including siting, degraded core accidents, reliability engineering, and safety vs. non-safety systems.

3. More detailed analysis of a wider range of complex transients is likely to become a future licensing requirement. This will affect operator training, emergency preparedness, and other activities.

4. A design basis for the LMFBR should be adopted based on quantifiable risk criteria analogous to, but not necessarily the same as, those for LWRs.
GLOSSARY OF TERMS


The Applicant is usually the reactor plant owner and is the designated license holder under NRC rules.

Core disruptive accident - refers to a reactor accident where at least part of the core integrity and core coolable geometry are lost.

Clinch River Breeder Reactor

Design Basis Accident - an artificial boundary separating those accidents which are considered in the licensing process from those which are not.

Environmental Protection Agency

Fast Flux Test Facility - a testing facility modelled after an LMFBR core. It is constructed on Federal land.

Loss of Coolant Accident - refers to a reactor accident where the ability to cool the core is lost due to a break in the primary loop.

Loss of Flow - refers to a reactor accident where the ability to cool the core is either impeded or fully lost due to reduced or fully inoperable pumping power.

Light Water Reactor

Liquid Metal Cooled Fast Breeder Reactor

Roentgen Equivalent Man or Rad Equivalent Man - refers to a measure of radiation in units of energy per unit mass.

The probability of an event (often an accident) times its consequence.

Safety Analysis Report (or Preliminary or Final Safety Analysis Report).

The act (or ability) of (to) shut down the reactor and remove decay heat.

Safety Evaluation Report

Refers to the NRC staff.
I. INTRODUCTION


The assurance of safe nuclear energy receives increasing public attention. Most recently, this attention was focused on the March 1979 accident at the Three Mile Island-Unit 2 (TMI-2) nuclear generating plant.

What is the impact of the TMI-2 accident on the safety, licensing, and development of nuclear energy? Although concerned primarily with the current generation of light water reactors (LWRs), ultimately this question must include the liquid metal fast breeder reactor (LMFBR) as well. In response to this longer term focus, Kastenberg and Solomon [1], in an earlier piece, assessed the potential impact of the proposed LWR-Anticipated Transient Without SCRAM (ATWS)* criteria [2] on the LMFBR safety programs as represented by the Clinch River Breeder Reactor plant (CRBRP). In the present Note, I consider another question:

How does the TMI-2 accident affect the design basis accident criteria for LMFBRs?

BACKGROUND 

The basic regulations governing nuclear power plant licensing in the United States are described in Title 10, Code of Federal Regulations-Energy [3]. As new issues arise, the Nuclear Regulatory Commission (NRC) can establish rules as a basis for regulation, which become part of the code and which provide policy and technical guidance for licensing. The NRC staff can issue Regulatory Guides describing methods acceptable for implementing specific parts of the Commission's regulations. In addition to these documents, the Standard Review Plan [4] sets forth internal review procedures followed by the NRC staff in evaluating documents and other information submitted for licensing review.

*An anticipated transient without scram is defined as the failure of the plant protection system (shutdown or scram system) following the initiation of a Category A event. Category A events have a frequency of several times per year.
Although there are several steps in the licensing process, two of the more important ones are (1) the Applicant's submittal of the Preliminary Safety Analysis Report (PSAR) and the Final Safety Analysis Report (FSAR) and (2) the NRC's submittal of the Environmental Impact Statement (EIR) and the Safety Evaluation Report (SER).

The intent of the PSAR is to demonstrate that the design and construction will comply with regulations. Successful review of the PSAR usually leads to a construction license. The PSAR, along with supporting documentation, a set of technical specifications, a preoperational test program and a qualifications program for operating personnel is required before issuance of an operating license which will allow the Applicant to load full power. The technical specifications denote the manner in which the plant will operate.

Concurrent with the safety review, the NRC is required by the National Environmental Protection Act (NEPA) to consider environmental issues associated with a given license application review. The evaluation of NEPA requirements is usually contained in an Environmental Impact Report (EIR) which is published by the NRC staff along with a Safety Evaluation Report (SER). In these two reports — the EIR and the SER — the major safety and environmental issues relating to a particular license application are addressed.

BASIS  FOR  CURRENT  STUDY 

As a result of the recent accident at the Three Mile Island-Unit 2 (TMI-2) nuclear generating plant, several groups have made recommendations on how nuclear power plants should be licensed, sited, regulated, and operated. The groups have included the President's Commission [6], the Nuclear Regulatory Commission's Special Inquiry Group [7], the NRC staff's Short Term Lessons Learned Task Force [8], and the NRC staff's Long Term Lessons Learned Task Force [9]. One of the major safety issues emerging from the NRC Task Force investigations concerns the use of design basis accidents in the licensing process. As will be discussed in Section II, the design basis is an artificial "boundary" which specifies which accidents shall be considered and which shall not in the review of license applications and hence safety for a given plant. This issue arises because some of the events occurring at TMI-2 exceeded the design basis upon which the plant was licensed.

The Applicant is usually the plant owner and is the designated license holder under NRC rules. The Applicant is usually assisted in the preparation of the PSAR and FSAR by the Nuclear Steam Supply System (NSSS) vendor who supplies the reactor, the architect-engineer (A-E) who designs the power plant, and other consultants. A review of their functions can be found in Reference [5].

The recent safety review for the proposed Clinch River Breeder Reactor (CRBR), intended to be the nation's first fully licensed LMFBR, was patterned after the safety review for LWRs. As discussed in Section IV, a major issue in the safety review for CRBR was the definition of the design basis and the inclusion of events beyond the design basis in the review process. Hence, any new consideration of the design basis for LWR licensing and safety will naturally have implications for LMFBRs.

SCOPE  OF  PRESENT  WORK 

This Note begins by reviewing the concept of the design basis, design basis accidents, and risks (Section II). I then show how the current design basis issue arises from the accident at Three Mile Island and review the potential changes in regulatory requirements that may result (Section III). The safety and licensing issues for LMFBRs are also reviewed within the context of this experience and designs for future generation (i.e., commercial-sized) LMFBRs (Section IV). I show how risk considerations can be employed to resolve these issues (Section V) and how safety criteria for LMFBRs may be determined. Since design basis accidents are not the only issues affected by the Three Mile Island accident, Section VI presents a short discussion of some of the other key considerations arising from it. Finally, I draw some conclusions and offer recommendations for further work (Section VII). In the Appendix, I expand the discussion of moderate, small, and unlikely events as applied to both LWRs and LMFBRs.
II. THE DESIGN BASIS CONCEPT


In this section I review the concept of the design basis and the use of the design basis accident (DBA) in the regulatory review of light water reactors (LWRs). In addition, I consider how the concept of risk enters into the licensing process through the design basis concept.

DESIGN  BASIS  ACCIDENTS 

During the licensing review of an LWR, the Applicant is required to analyze the course of certain accidents and their potential consequences. These accidents generally fall into three loosely defined categories:

a) likely events,

b) unlikely events, and

c) extremely unlikely events.

Likely accidents are those which are expected to occur often enough (up to several times per year) that the intrinsic design of the plant can cope with them. An example is a turbine trip, for which the plant protection system and residual heat removal system are activated, bringing the plant to a safe shutdown. Unlikely and extremely unlikely events are expected to occur with sufficiently small probability such that the inherent features of the plant may not cope with them. However, because of their potential risk to the health and safety of the public, engineered safety features are installed to mitigate against their effects. For example, an emergency core cooling system (ECCS) is provided in LWRs to protect against the consequences of a loss-of-coolant accident (LOCA). Title 10 of the Code of Federal Regulations, Part 50 (10 CFR 50), paragraphs 50.46 and Appendix K, specify the requirements for the design of such an ECCS. A LOCA, such as a double ended guillotine pipe rupture, is considered a design basis accident, and paragraphs 50.46 along with Appendix K specify the design basis upon which the applicant designs the ECCS.
Of interest also are (1) accidents that lie beyond the design basis and (2) the concept of "defense in depth." For example, in the Reactor Safety Study (WASH 1400), accidents for which the ECCS is inoperable were analyzed in terms of public risk. Because of the high reliability and redundancy assumed for the ECCS, however, such accidents are considered to lie beyond the design basis; thus they are not in the licensing review. To provide conservatism into the design of LWRs, the concept of "defense in depth" has been employed. Multiple barriers (or mitigating devices) are used in the event of fission product release from the fuel. Such barriers include fuel clad, the reactor vessel, and the reactor containment with mitigating systems such as the containment spray system, hydrogen recombiners, and pressure relief valves. Each barrier and/or system is designed to some design basis.

During the recent accident at the Three Mile Island — Unit 2 Generating Plant, the ECCS operation was terminated by operator error several times during the initial phases. This led to an uncovering of the core with subsequent fission product and hydrogen release. This degradation of ECCS performance, by human or other (mechanical or electrical) means, was outside the design basis. Because of the defense in depth concept, however, the reactor containment was successful in performing its function, i.e., mitigating the consequences of ECCS partial failure. The apparent burning of hydrogen in the containment produced a pressure of 28 psig for about 10 minutes, well within the 58 psig design basis. Fission product release was due, in part, to the failure to isolate containment when the sump pumps transferred primary coolant water to the auxiliary building.

The Nuclear Regulatory Commission's decision to exclude certain accidents from the design basis is predicated, in part, on their anticipated low probability of occurrence. Hence, a judgmental approach, in terms of risk, has been utilized by the NRC in setting the requirements for obtaining a license for a nuclear power plant.
THE CONCEPT OF RISK AND THE DESIGN BASIS

Qualitatively, the concept of risk is used to describe the negative impacts of technology on society. These negative impacts may arise due to normal (routine) operation of the technology (e.g., health hazards resulting from the use of fossil fuels) or during off-normal (accident) conditions (e.g., release of radioactive gas during a nuclear reactor accident). The quantitative determination of accidental risk requires a knowledge of both the frequency (probability per unit time) and the consequences of undesirable events.

Because severe nuclear reactor accidents may occur with very small frequencies, few, if any, actuarial data exist. Rather, quantitative measures of risk are based upon models and calculation, and there exist large uncertainties in risk estimates. However, the methodologies employed in risk assessment are particularly useful in evaluating the contribution to risk of potential accidents.

In setting the design basis, for example, some aspects of risk consideration have been employed. With respect to risk, the design basis can be interpreted as excluding accidents with frequencies based on [2]:

"an overall safety objective of 10 per year and an objective for individual events of $10^{-7}$ per year."

It is of interest to compare this frequency with frequencies given in the 1978 NRC publication NUREG-0438 [10] for different classifications of accidents, and the frequency of core melts given in WASH-1400, the Reactor Safety Study [11]. In NUREG-0438 frequencies are given as:

A.  Events of moderate frequency     Several times/year

B.  Events of small probability      1/10 to 1/100 per year

C.  Highly unlikely accidents        1/1000 to 1/10,000 per year

yielding a potential limit for the design basis of $10^{-4}$/yr.
In WASH-1400, the frequency of the dominant risk contributor (core melt) in the plants studied was estimated to be 5x10 per reactor year (with only about 2% of these core melt events resulting in early fatalities). Core melt has usually been considered to be beyond the design basis in the regulatory process. Hence, one might interpret the design basis for an LWR, in terms of frequency, as lying between $10^{-4}$ and $10^{-6}$ per year, with $10^{-6}$ from the Standard Review Plan [4].

In terms of consequence, the design basis is set in Title 10, Part 100 of the Code of Federal Regulations (10 CFR 100), which specifies the allowable dose limits to which the design basis must conform (i.e., sets the design on engineered safety features intended to mitigate against design basis accidents). From the above discussion we see that accidents with frequencies less than $10^{-6}$ per year ($10^{-7}$ per source [4]) are excluded, regardless of their consequences. Accidents that occur with frequencies greater than $10^{-6}$ per year must have mitigating systems (ESFs) that yield consequences below the 10 CFR 100 limits.

An expanded discussion of these frequencies and example consequences, as well as a further description of design basis accidents, are given in the Appendix.


At the present 10 CFR 100 specifies that a person at the fence post will not receive a whole body dose greater than 25 rem and a thyroid dose greater than 300 rem as a result of a design basis accident [11].
III. THE DESIGN BASIS ISSUE RAISED BY TMI


As a result of the accident at the Three Mile Island-Unit 2 (TMI-2), a number of issues relating to LWR safety have been raised. Of interest here are those issues relating to design basis accidents. The NRC staff, in both its initial study [8] and its final report [9] on TMI-2 lessons learned, discusses the potential inclusion of "beyond the design basis" accidents. Discussion of the consideration of beyond design basis accidents stems primarily from the generation of hydrogen during those periods when the TMI-2 core was uncovered.*

Hydrogen can be produced during an LWR-LOCA by metal water reactions, radiolysis, and corrosion. At TMI-2, approximately 40% of the clad material reacted with water to produce hydrogen in the vessel and subsequently the containment building [13]. The design basis for combustible gas control is given in 10 CFR 50.44, and Regulatory Guide 1.7 - Revision 2 describes methods acceptable for implementation. These methods are based on an assumed clad/water reaction which is between 1 and 5%, depending upon the accidents considered. In the case of TMI-2, the design basis was clearly exceeded.

In the short-term lesson learned report [8], the NRC staff recommendations regarding post-accident hydrogen control systems for LWR containment were:

1. Provide penetrations for external recombiners or post-accident external purge system,

2. Require inerting BWR containments, and

3. Provide capability to install hydrogen recombiners at each LWR.


*When the water level in the reactor was below the top of the fuel elements.
In the final report on lessons learned [9], the NRC staff recommends that "the [NRC] Commission issue within three months a notice of intent to conduct rule making to solicit comments on the issues and facts relating to the consideration of design features to mitigate accidents that would result in (a) core-melt and (b) severe core damage, but not substantial melting." Provisions to cope with hydrogen generation and the consideration of the use of vent-filtered containment would be part of the rule-making process.

The rationale for the rule-making can be paraphrased from the Staff report as follows [9]. Accidents that result in substantial melting of the core are the most significant — in terms of public risk — of the events not included in the design basis. Even though they should have a lower frequency (less than 10 /yr) than design basis accidents, their consequences make them risk significant. From the accident sequence point of view, it is the potential failure of containment which yields this high risk. Hence, prevention of containment failure, such as the case with the vent-filtered containment, should reduce significantly the consequences of core melt.

The recommendations of the Staff represent a potential shift in the licensing process toward the inclusion of events beyond the design basis. While it is not clear that rules will be adopted that require the consideration of core melt (or degraded cores) in the licensing process, the recommendations do have a significant effect on future licensing reviews of LMFBRs. In particular, potential high consequence, low frequency events could become part of the design basis. Alternatively, mitigation features may be required, without these events being made design basis accidents.
IV. LICENSING AND SAFETY OF LMFBRs


The recent experience with licensing an LMFBR has been limited to the Fast Flux Test Facility (FFTF) in Washington state and the Clinch River Breeder Reactor (CRBR) in Tennessee. FFTF is unique because it is a test facility constructed on federal land and as such is not required to undergo any formal licensing procedure. However, the NRC staff has reviewed both the Preliminary and Final Safety Analysis Reports (PSAR and FSAR) and has issued their Safety Evaluation Reports (SER) in each case. Although the recommendations of the Staff are not binding, they have for the most part been considered by the Applicant (in this case DOE).

More recently, the licensing experience with CRBR may be indicative of future commercial plant experience. Following submittal of the PSAR in April 1975, certain preliminary but relevant decisions were made by both the Applicant and the Staff. Because of the uncertainty in its completion, the licensing review for CRBR has been suspended. In the following subsection, the current status of LMFBR licensing and safety is described with special emphasis on the difference between LMFBR and LWR safety considerations.

LMFBR  SAFETY  QUESTIONS 

The major emphasis in the CRBR review, and indeed a key concern for any large LMFBR, was the ability of the plant to withstand the consequences of a core disruptive accident (CDA), which involves loss of core coolable geometry and has a potential for large energy releases. The importance of this issue in LMFBR safety considerations stems from two key differences between LMFBR and LWR concepts — the core configurations, and the reactivity effects of the coolant-moderator media. In the case of LWRs, this fluid is water. In the event of a failure to adequately cool the core, either resulting from a loss of water or leading to such a loss due to boiling, the reactivity effect of the loss of water in the core tends to shut down the reactor. The primary concern is then one of a gradual melting of the core, slumping to the bottom of the vessel, and either an energy release due to a fuel-water thermal interaction in the vessel bottom, or a melt through of the vessel. If the containment fails, radiation could be released to the environment.

LMFBRs, however, have two inherent features with the potential for producing a much more energetic release. First, a loss of sodium from the core tends to increase the reactivity of the reactor core.* This places more importance on rapid insertion of control rods to reduce the total reactivity of the reactor core plus sodium void reactivity well below criticality. Second, because the core of an LMFBR contains several critical masses of fuel and is not in its "most critical" configuration, we can hypothesize that if damaged, it might at some point reach a new configuration and attain criticality, even after shutdown, if lack of adequate core cooling led to core melting or significant fuel motion. Thus, although a distinction is sometimes made between a rapid pressure-driven disassembly and a slow progression to melting, various material motions (e.g., fuel motion or compaction) can lead to reactivity additions in either case. These reactivity additions, in turn, could lead to energy release in the event of failure of the plant protection system.

The two accident scenarios receiving the most attention for CRBR are the transient overpower accident (TOP) and loss of flow accident (LOF), both with failure to scram (failure of the plant protection system to shut down the reactor). In either case the reactor is assumed to be operating at steady state (near design power) at the time of accident initiation. The failure to scram causes a power/flow mismatch with ultimate material motions (e.g., fuel melting) and composition changes (e.g., coolant voiding).

*This is known as the positive sodium void coefficient.

†In the TOP the power rises at constant coolant flow; in the LOF the coolant flow decreases at constant power.

Before the licensing process was suspended, regulators placed a greater emphasis on accidents initiating from the shutdown state, for example:

o the loss of heat sink with scram, and

o the loss of cold leg piping with scram.

In  these  scenarios,  the  reactor  is  shut  down,  hut  the  ability  to 
remove  decay  heat  is  impaired.  Although  the  time  scale  is  now  ex¬ 
panded  to  hours  (the  TOP  and  LOF  events  range  from  milliseconds  to 
seconds) ,  lack  of  cooling  will  ultimately  result  in  fuel  melting. 
Although  it  is  not  clear  how  energetic  such  events  will  be,  they 
clearly  belong  to  the  class  of  core  disruptive  events  considered. 

It is important to note that the initial PSAR contained two
designs for CRBR: the reference design in which CDAs were not considered
part of the design basis, and the parallel (or fallback) design
in which systems to accommodate or mitigate CDAs were
included. Subsequent to the initial docketing of the PSAR, an
amendment was submitted withdrawing the parallel design, but "in keeping
with past practice of first-of-a-kind plants the project planned
to incorporate features designed on the basis of accommodating a range
of events including those having an exceedingly low probability of
occurrence" [14]. Included were plans to "incorporate features designed
to mitigate consequences of accidents from loss of in-place (core)
coolable geometry" [14].

Before suspending formal review of the PSAR for CRBR, the NRC
staff issued preliminary comments and guidance with respect to CRBR
[14]. Although the views and positions of the NRC staff were intended
to be specifically for CRBR and not intended to establish precedents
for future LMFBR reviews, they are important because LWR
criteria are moving in their direction.

Before continuing, two additional key differences between LWR
and LMFBR safety must be pointed out, both of which result from the
use of sodium, rather than water, as the coolant-moderator in LMFBRs.
First, sodium is well known to be highly reactive with air and water;
the air in the containment and the water from the steam generators
can lead to sodium fires in the event of a sodium leak. This could,
in turn, lead to generation of sodium aerosols and to overpressure
problems of major concern since the sodium aerosols would be highly
radioactive due to activation of the primary coolant sodium in an
LMFBR.

A second difference is important in light of the concern over
H2 generation resulting from the TMI accident. Such a large production
of H2, which resulted from the H2O-cladding reaction in TMI, will
not occur in the core of an LMFBR because there is no water in the
core. On the other hand, there is the possibility of significant
sodium-concrete interactions within the containment itself should the
reactor vessel or sodium piping and components be breached and sodium
released into the containment building. Two problems that could result
include H2 generation and production of radioactive sodium aerosols
released into the containment. Although the specific recommendations
for post-accident hydrogen control systems for the LWR primary
containments may not be directly applicable to LMFBRs, the question
of how to minimize overpressure within the secondary containment still
arises.

PRELIMINARY  LMFBR  DESIGN  BASES 

In their preliminary comments on the PSAR, the Staff proposed,
in addition to assuring that the level of safety achieved for
CRBR be comparable to that for LWRs (i.e., that the consequences of
accidents within the design basis envelope are within the guidelines
of 10 CFR 100), the safety objective [15]:

"... there be no greater than one chance in one million per
year for potential consequences greater than 10 CFR 100 dose
guidelines for an individual plant..."

To meet this objective, five design features are specified [15]
which include two independent, diverse, and functionally redundant
decay heat removal and shutdown systems.
It was further stated that [15]:

"... the probability of core melt and CDAs can and must be
reduced to a sufficiently low level to justify their exclusion
from the design basis accident spectrum."

Because of the uniqueness of the plant, however, NRC further
stipulates that additional measures be taken to limit consequences
and reduce residual risks from accidents having a lower probability
than design basis accidents. To meet this objective, NRC proposes:
"containment integrity be provided for at least 24 hours
following a postulated core disruptive accident,"

To meet this objective, the following design basis was postulated
by the NRC:

o A core mechanical work energy release of 1200 MW-sec (fuel
vapor expansion to 1 atmosphere),

o A sodium release of 1000 pounds from the vessel head,

o Vaporization of 10% of the core fuel inventory and direct
release of this fraction from the vessel head.

The 24 hour containment integrity requirement was later withdrawn
because it was based in part on considerations contained in WASH-1400,
which were dropped following the Lewis Review Report [16].

RISK  CONSIDERATIONS 

Concurrent with the submission of the PSAR, the applicant estimated
the risk [17] of CRBR, and compared it to the risk estimated
for LWRs as given in WASH-1400. The validity of the study is not considered
here, but the results show that the major risk contribution
stems from accidents which can be considered beyond the design basis.
This result parallels that obtained in WASH-1400, namely that accidents
involving core melt in LWRs are the major risk contributors.

It is of interest to note that in both cases the design basis
in terms of exceeding the 10 CFR 100 guidelines is 10 per year.
Consequences greater than the 10 CFR 100 guidelines can occur, regardless
of their magnitude, providing they occur with sufficiently
small frequency. Hence two systems such as the LWR and LMFBR may
have quite different risk estimates, yet they can both satisfy the
design basis "acceptance" criterion. However, as noted above, the
NRC requires both that the probability of a CDA in an LMFBR should be
reduced to a low enough level to eliminate it as a design basis
accident, and that measures be taken to mitigate the effects of such
a potential CDA. Thus even events beyond the design basis may have
to be considered, at least in general terms, in order to license
future LMFBRs.
V. RISK CONSIDERATIONS FOR SETTING FUTURE
LMFBR AND LWR DESIGN BASES


As discussed in Section II, the quantitative determination of
accidental risk requires a knowledge of both the frequency and the
consequence of undesirable events. For example, suppose a given undesirable
event occurred with a frequency of once in 10 years, and it
resulted in 100 deaths. One measure of risk (expected value) is
their product: 100 deaths times 1/(10 years), yielding 10 deaths/yr.
The total risk, in terms of expected value, is then the sum over all
possible events.

Risk-reduction, in terms of design, may involve the use of redundant
and reliable systems (e.g., multiple coolant loops) designed
to minimize the incidence of potentially serious accidents; highly
reliable safety systems (e.g., the plant protection system and shutdown
system) intended to prevent the progression of initiating events
into major accidents; and further engineered safety systems to mitigate
the consequences of those events which may occur (e.g., the containment
spray system). Consideration of additional safety systems
or features for existing plants, as well as integrated designs for
new plants, can and should be based on their potential for risk-reduction
versus their cost. Such tradeoffs are generally referred
to as "risk-benefit" analysis or "value-impact" analysis.

As a result of the accident at the Three Mile Island-Unit 2
(TMI-2) plant, the Nuclear Regulatory Commission (NRC) is considering
means to cope with hydrogen generation resulting from an accident.
This leads to the consideration of events beyond the design basis because
such amounts of hydrogen are generated in degraded cores (cores
having had inadequate cooling for periods of time that leave them
only partially disrupted). In addition to hydrogen, a degraded core


Other approaches include probability density distribution
functions of frequency versus consequence and complementary cumulative
functions of frequency versus consequence.
will also be accompanied by fission product release to containment.
Hence, the use of vent-filtered containment will be considered for
the case of the molten, but not partially disrupted, core [8,9].

It is apparent, then, that any decision made by the Commission
that requires additional safety features raises substantial issues
concerning an appropriate design basis. Furthermore, one of the major
lessons of TMI is that more attention needs to be focused on dealing
properly with higher probability (or even anticipated) events which
can potentially propagate to large consequences, either through design
failures or operator error. Future considerations for both LWR
and LMFBR risk reduction would include emphasis on these more likely
events, in addition to "beyond the current design basis events."

The NRC is really concerned with three classes of accidents,
all of which — not merely the design basis accidents — must be carefully
considered: (1) moderate-to-high probability, relatively low
consequence events; (2) design basis accidents; and (3) accidents
beyond the design basis. As we have seen, the current emphasis is to
design for a DBA, under the assumption that lower consequence events
will be accommodated if DBAs are and that the probability of higher
consequence accidents is low enough not to warrant their explicit
consideration.

At what level of detail must these categories of accidents be
analyzed? One previously known fact that TMI has illustrated more
graphically is that consequences approaching those of a DBA are not
limited to initiating events such as a large pipe leak; the key to
avoiding such events appears to be in a recognition of the types of
events and combination of events which could ultimately lead to serious
consequences — usually involving loss of core-coolable geometry.


Actually, there is a whole series of events of varying consequences
and probabilities (e.g., Tables A.1 and A.2 of the Appendix),
many of which are specially included in the design.
A major LMFBR effort is being carried out to assess:

1. those types of major loss-of-flow or transient overpower
accidents which lead to the onset of boiling in the core;

2. the sequence of events following the initiation of sodium
boiling;

3. possible mechanisms to reduce the likelihood of sodium
boiling, or to mitigate its effects; and

4. the effects of, and possible designs to reduce the impact
of, core meltdown or disassembly accidents.

This effort includes both experimental studies (e.g., the TREAT
reactor) and computer simulations (e.g., the SAS and MELT codes [18]).
However, what should be done to help assure that a more likely, supposedly
benign, initiating event does not lead to such an accident?

The methods used in the Reactor Safety Study [11] (RSS) are
being used in the LMFBR industry to assess the potential impacts
of all types of initiators. That is, all conceivable initiating
events (e.g., loss of offsite power, loss of one or more pumps, steam
generator failure, etc.), including those where scram has occurred,
are first modeled by event trees, which consider the probabilities
and consequences of all subsequent system and operator actions. As
was done in the RSS, some sort of probabilistic cutoff needs to be
considered at this point, lest the total number of accident sequences
becomes unmanageable. This is one of the key issues which must be
addressed — the selecting of design basis safety criteria for LMFBRs.


Since the specific conditions required to produce loss of
core-coolable geometry or a core disassembly accident in an LMFBR
are subject to much debate, the onset of sodium boiling at the top
of the core is often used as a signal that some type of core damage
could ensue.
I suggest that the basis for such criteria lies in the concept,
expressed earlier for CRBR, that the level of safety to be achieved
for an LMFBR be comparable to that attained for LWRs [15]. An example
of how such criteria might be quantified [19] would be to first
determine an overall design basis criterion (e.g., a probability of
10 ^ or 10 ^ per year of exceeding 10 CFR 100). Next, the probability
that loss of core-coolable geometry leads to exceeding 10 CFR
100 would be determined for a specific concept. Finally, the maximum
allowable probability of an accident leading to loss of core-coolable
geometry would be derived from the previous two criteria. Note that,
since the consequences of an energetic CDA in an LMFBR can be more
severe than an LWR meltdown, it may be necessary to (1) require lower
probabilities on accident initiators for LMFBRs, (2) require additional
safety systems to lower the probability that any initiating
event could lead to loss of core-coolable geometry, or (3) provide
increased containment capability.

Thus it might be demonstrated that an adequate level of safety
for the LMFBR requires analysis of even more types of accidents, both
high-probability-low-consequence and low-probability-high-consequence.
Furthermore, differences between LWR and LMFBR safety will
involve the specific differences associated with water and sodium
systems, for example:

o H2 generation in LWR core and containment vs. the
sodium fire problem and sodium concrete interaction
in LMFBRs,

o The sodium void effect in LMFBRs, and

o The difference in heat transfer characteristics; for
example, LMFBRs may be more "forgiving" for short-term
transients due to the large heat capacity in the sodium
and near-atmospheric pressure operation far below the
boiling point of the coolant.


*I distinguish risk from safety in the following way: Risk and
safety are complementary terms; the safer something is, the less
risky it is.

Note that this has not been achieved by LWRs.

In spite of these differences, there appear to be enough similarities
in these systems so that many general safety criteria can
be employed in either case. Although details of the physical phenomena
may be greatly different and the trade-off between accident probabilities
and consequences will be different, there are many areas of
similarity. Specifically, shutdown systems and control room logic
will require similar considerations; in addition, the type and nature
of initiating events are quite similar [17]. And, finally, the future
design basis for both LMFBR and LWR safety review can and should be
based on similar risk considerations.


VI.  OTHER  CONSIDERATIONS  RAISED  BY 
THE  THREE  MILE  ISLAND  ACCIDENT 


Although the purpose of this Note has been to consider the design
basis accident issue, other issues of at least equal significance
to the safety and licensing of LMFBRs have arisen from the
TMI-2 accident. Although they will not be discussed in detail here,
their importance justifies commenting on several of them.

First, the level of operator training at Three Mile Island was
considered "inadequate and contributed significantly to the seriousness
of the accident," although "the TMI training program conformed
to the NRC standard for training" [6]. Because of the potential
for large consequence accidents with LMFBRs, the adequacy of training
of reactor operators is just as important in both cases. Furthermore,
many of the specific recommendations which may eventually be
implemented for LWR operator training will be directly applicable
for LMFBR operators. For example, the President's Commission [6]
cited the facts that "simulator training did not include...multiple-failure
accidents," and that "there was no formally defined training
program for [auxiliary operators]." LMFBR designs can, however, provide
some margin for operator error in many situations, since the
high heat capacity of concepts with large primary sodium inventories
can allow several hours of "grace period" before emergency core cooling
becomes necessary.

In light of the importance of operator actions, the President's
Commission also recommended that "Equipment should be reviewed from
the point of view of providing information to operators to help them
prevent accidents and to cope with accidents when they occur. This
includes monitoring, warning and diagnostic equipment for both normal
and abnormal situations, and should utilize computer technology where
relevant. (See, for example, Reference 20.) Other equipment-related
recommendations include the need to design systems and maintenance
procedures to mitigate accident consequences. Specifically, systems
for isolation, filtering, venting, hydrogen recombining, and measuring
coolant levels are key items mentioned.

The Commission also pointed out that increased awareness should
be given to accident recovery, clean-up and waste disposal, and the
health hazards arising from these operations. This will be even more
important for LMFBR licensing and safety due to the extremely reactive
nature of the coolant, the activation of the primary coolant, and
contamination of the core, piping, and all loop components with solidified
sodium even after their removal from the system.

Other health and safety measures were recommended which have no
specific bearing on LMFBR safety. However, LMFBR safety should consider
these measures (e.g., the biological effects of low-level radiation)
as they specifically relate to the levels and types of isotopes
problematic to LMFBRs.

Some reliability and risk assessment considerations can also be
pointed out which supplement those corresponding to the Design Basis
Accident issues. First, there is a need to analyze multiple failure
accidents, especially considering human failures. Second, the
President's Commission emphasized the need to continue "in-depth
studies...on the probabilities and consequences (on-site and off-site)
of nuclear power plant accidents, including the consequences of
meltdown" [6]. Finally, as a supplement to Design Basis Accident
analysis, the Commission reiterated the necessity of considering those
accident initiators of lower consequence (but greater likelihood)
than DBAs, again "with particular attention to human failures."

In addition to these factors, the TMI accident has brought up
such fundamental issues as reactor siting, emergency preparedness,
consideration of degraded cores, the current differentiation between
safety and non-safety systems, and the entire licensing and review
process itself. An in-depth discussion of such issues is not appropriate
here; such questions should be given more detailed treatment
separately. However, I will briefly review some of these points.

First, with regard to emergency preparedness planning and siting
policy, the former has "had a low priority in the NRC and the AEC
before it" [6]. The only NRC requirement has been to develop such
emergency plans for the low population zone (LPZ) — an area around
each plant with low enough population density that such plans were
expected to be feasible. In the case of TMI, this zone was a 2-mile
radius around the plant. In this specific instance, Pennsylvania law
was stricter and required planning within a 5-mile zone. However, during
the accident itself, the specific circumstances led the NRC to
believe that the consequences could exceed even the 5-mile radius;
thus, evacuation plans extending out to 20 miles "were hurriedly developed"
[6]. The implications for LMFBR siting and emergency preparedness
are clear. Due to the potentially severe consequences of
major LMFBR accidents, and in addition to engineered systems to mitigate
the effects of such accidents, the following [6] should be strongly
considered:

1. New siting policies, including remote siting where possible,
must be considered for LMFBRs to be licensable.

2. Emergency plans must be carefully drawn up encompassing a
wider range of accidents, with separate plans drawn up for
each of a wide range of events. These plans should cover
several zones of population density, extending well past current
LPZs, and with different levels of action to be taken
in each zone.

3. Plans should extend out to include areas receiving even lower
levels of radiation than currently considered.

4. Means of counteracting or protecting against radiation hazards
should be considered.

5. The public should be better informed about such plans, their
purpose, and the hazards involved, well in advance.

I have already alluded to some problems resulting from degradation
of core integrity. TMI-2 was not the first nuclear reactor to sustain
core damage. In fact, one LMFBR, the Enrico Fermi Fast Breeder


Estimates for TMI-2 include cladding failures in^90% of the fuel
rods, and fuel temperatures in the range of 4000-5200 F, possibly
including fuel melting [6].
Reactor, had previously sustained a partial meltdown within two fuel
elements in 1966, due to a coolant inlet blockage [21]. Although the
damage was confined to the fuel elements directly affected, and the
reactor was safely shut down, this incident, along with the TMI accident,
indicates that core damage is not as remote a possibility as
was once believed. It is now doubly important not only to more carefully
examine the potential impacts of degraded core accidents upon
the health and safety of the general population, but also to consider
systems, both in-core and ex-vessel, to contain and/or mitigate the
effects of a damaged core. Such systems would include auxiliary core-cooling
systems, ex-vessel cooling systems, in-vessel and ex-vessel
"core catchers," containment isolation and venting systems, etc.

Next we can point out a potential problem concerning the traditional
separation of nuclear power plant systems into safety-grade
and non-safety-grade classes. In the past, those systems considered
specifically as safety systems were subject to significantly more
rigorous criteria and qualification than "non-safety" systems. It
may have taken the accident at TMI to indicate the importance of many
of these "non-safety" systems in performing distinctly safety-related
functions during an accident situation, or in initiating or complicating
an accident situation. As recent events now suggest, it may be
time to consider either 1) softening this rigid distinction and reclassifying
many non-safety systems as safety-related, or 2) providing
additional dedicated safety systems as a back-up to non-safety systems.

Finally, although this Note is not directly concerned with
changes that may occur in the licensing or review process, I have indicated
some areas where specific changes are likely to occur. As a
result of TMI, changes in the NRC's operation and in the overall licensing
process are occurring and will continue to occur over the next few
years. There should be ample time and incentive for those involved in
LMFBR safety and licensing to learn from the near term LWR licensing
experience and apply it to the case of the LMFBR.


VII.  FINDINGS  AND  RECOMMENDATIONS 


This Note has reviewed the concepts of the design basis and
design basis accidents and their use in the licensing process for
nuclear power plants. I have also reviewed the issues relating to
these concepts raised by the accident at Three Mile Island-Unit 2
and how they may affect the LMFBR option. Lastly, I considered the
concept of risk and how it can be used in setting design basis.

At present, the design basis for nuclear power plant licensing
is the assurance that accidents which occur with a frequency of
approximately 10“^/yr or greater, must have a dose no greater than
25 REM whole body (300 REM thyroid) at the site boundary. This design
basis has been used to establish criteria for the design of
engineered safety features incorporated into Light Water Reactors.
Accidents whose frequency is less than 10 /yr are excluded from
consideration regardless of their consequences. As a result, accidents
postulated to occur in LWRs, and leading to core melt (e.g.,
LOCA) are excluded from the design basis. This exclusion is usually
justified on the basis of low probability.

Similarly, during the preliminary licensing review for CRBR,
and as I postulate for future LMFBRs as well, the goal was to insure
a level of safety "comparable to the LWR" by using a similar
design basis. One objective was to prove that core disruptive
accidents were of sufficiently low probability that they were excluded
from the design basis. If this cannot be shown for commercial-sized
LMFBRs, then other criteria, as I discussed in Section V,
should be instituted. Accidents falling within the design basis
were required to conform to the dose limits set for LWRs.

Because CRBR was to be the first of a kind, additional safety
features were to be incorporated in an effort to reduce residual
risk. As a result of the TMI-2 accident, the NRC staff is considering
the possibility of including events beyond the design basis in the
licensing review of LWRs. Such events might include consideration of
degraded cores, partially melted cores and core melt itself. In
particular, the use of vent-filtered containment and a need to establish
a new design basis for hydrogen production will be addressed.
Similar specific problems, such as sodium fires (already being considered)
and containment venting must be addressed for LMFBRs.

FINDINGS 

In spite of differences in details, I find many similarities
in the licensing approach for LWRs and LMFBRs. In particular the
range of initiating events and their frequency of occurrence are
similar, although their potential consequences may be an order of magnitude
larger for the LMFBR.

Engineered safety features will be incorporated into each system
so that they will conform to whatever design basis is ultimately
adopted. If the design basis is intended to set a safety goal, and
is based on risk-benefit or value-impact considerations, both the
LWR and the LMFBR options can achieve the same level of safety.
Moreover, some of the LWR safety research program, especially in
the area of probabilistic risk assessment, could be utilized if and
when the LMFBR option is ready for deployment.

The  NRC  staff's  Long  and  Short-Term  Lessons  Learned  Task  Force 
Reports  [8,9]  have  already  been  shaped  into  an  Action  Plan  [22]  which 
will  be  implemented  over  the  next  few  years.  Many  of  the  more  general 
changes  required  by  that  Action  Plan  will  be  directly  or  indirectly 
applicable  to  the  LMFBR  option.  This  applies  both  to  the  Design  Basis 
Issue,  as  well  as  to  the  additional  question  discussed  in  Section  VI. 
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RECOMMENDATIONS 

In  light  of  the  DBA  Issues  discussed  in  this  Note,  and  the 
additional  questions  discussed  in  Section  VI,  the  following  are  rec¬ 
ommended  : 

1.  The  NE.C  is  actively  pursuing  the  possibility  of  develop¬ 
ing  quantitative  risk  criteria  for  LWRs .  DOE  should 
become  an  active  participant  in  the  dialogue  which  the 
NRC  will  undertake  during  these  considerations. 

2.  The  NRC  Staff  Action  Plan  includes  some  subjects  whose 
resolution  may  impact  directly  on  LMFBRs.  In  particular 
the  following  matters  appear  to  be  of  special  importance: 

a)  Siting  policy 

b)  Degraded  core  accidents 

c)  Reliability  engineering 

The  resolution  of  these  issues  may  lead  to  a  major  departure 
from  the  single  failure  criterion,  important  new  restrictions  on 
siting,  and  requirements  for  design  features  to  mitigate  accidents 
involving  severe  core  damage  or  core  melt. 

3. Other features receiving new attention in LWR safety review
include a rethinking of the previously accepted
differentiation between safety and non-safety systems.
A new philosophic approach may be developed which could
affect LMFBR design. Similarly, greater emphasis is
being given to the potential use of dedicated shutdown
heat removal systems.

4. A much more detailed analysis of system behavior for a wide
range of complex transients in addition to DBAs is likely
to become a requirement. This should be factored into a
wide range of activities including the following:

o engineering and operator training simulators

o emergency procedures prepared in a disciplined, optimal
fashion

o systems for disturbance analysis and other improvements
in helping the operator diagnose a complex event.

5.  A  design  basis  founded  on  risk  criteria  (i.e.,  frequency  of 
occurrence  and  consequences  in  terms  of  health  effects, 
applicable  for  both  LWRs  and  LMFBRs)  should  be  adopted.  These 
risk  criteria  have  been  established  only  to  a  limited  extent 
for the LlsTR design, and the NRC has committed itself to
establishing  a  more  complete  set  of  safety  criteria  for  LWRs 
before  the  end  of  this  year. 
Appendix

FREQUENCY AND CONSEQUENCES OF MODERATE, SMALL, AND UNLIKELY EVENTS:
DESCRIPTION AND EXAMPLES


This  appendix  describes  by  example  the  concept  of  moderate,  small, 
and  unlikely  events  as  applied  to  both  light  water  reactors  and  liquid 
metal  fast  breeder  reactors.  Much  of  this  appendix  is  adapted  from 
Reference  1.  For  the  purpose  of  evaluation,  light  water  reactor  (LWR) 
accidents are usually categorized as [7]:

A.  Events  of  moderate  frequency  (anticipated  operational 
occurrences)  leading  to  no  abnormal  radioactive 
releases  from  the  facility. 

B.  Events  of  small  probability  with  the  potential  for 
small  radioactive  release  from  the  facility. 

C.  Highly  unlikely  accidents  (potentially  severe  accidents 
of  extremely  low  probability,  postulated  to  establish 
performance  requirements  of  engineered  safety  features 
and site acceptability).

Table A.1, taken from WASH-1250 [1,7], contains some examples of
the  events  and  postulated  accidents  used  in  preparation  of  both  the 
preliminary  and  final  safety  analysis  reports  (SARs)  required  by  NRC. 

It  is  important  to  note  that  in  the  1978  NRC  publication,  NUREG-0438 
[10], the approximate frequencies assigned to these categories are:

Category  A  Several  times/year 

Category  B  1/10  to  1/100  per  year 

Category  C  1/1000  to  10,000  per  year 

For these accidents, it must be shown that the radiological consequences
of the accident are within the guidelines set forth in 10
CFR  100  [3].  Furthermore,  Category  C  accidents  are  termed  Design 
Table A.1

EXAMPLES  OF  POSTULATED  REACTOR  FACILITY  ACCIDENTS  BY  CATEGORY 

A.  Moderate  Frequency  Events  (no  abnormal  radioactive  release  from 
the  facility) 

1. Withdrawal of control rod at maximum speed due to malfunction
or error.

2.  Failure  of  one  safety  rod  to  scram. 

3.  Partial  loss  of  normal  forced  reactor  coolant  flow. 

4.  Unintentional  startup  of  an  inactive  reactor  coolant  loop. 

5.  Loss  of  external  electrical  load  and/or  turbine  trip. 

6.  Loss  of  off-site  electrical  power. 

7. Excessive load increase.

8. Loss of normal feedwater flow. (a)

9.  Inadvertent  depressurization  of  the  primary  coolant  system. 

B. Infrequent Accidents of Small Probability (abnormal radioactive
release possible, but not expected) (b)

1.  Small  leaks  and  breaks  in  pipes  (or  minor  leaks  in  large  primary 
or  secondary  system  pipes) 

2.  Inadvertent  loading  of  a  fuel  assembly  into  an  improper  position. 

3.  Complete  loss  of  normal  forced  reactor  coolant  flow. 

4. Complete loss of all A-C power (station blackout).

5.  Major  leakage  in  radioactive  waste  decay  tank. 

C. Highly Unlikely Accidents (postulated for evaluating site
acceptability) (c)

1.  Major  rupture  of  pipes  containing  reactor  coolant  up  to  and 
including  double-ended  rupture  of  largest  pipe  in  the  primary 
coolant  system  (loss  of  coolant  accident). 

2.  Major  secondary  or  steam  system  pipe  rupture  up  to  and  including 
double-ended  rupture  of  a  main  steam  pipe. 

3. Control rod ejection.

4.  Severe  fuel  handling  accident. 

5.  Tornadoes,  flooding,  and  earthquakes. 

SOURCE:  Ref.  7. 

(a) It is of interest to note that the recent accident at Three Mile
Island was apparently initiated by a loss of normal feedwater flow,
compounded by valve failure and operator error.

(b) May exceed the guidelines of 10 CFR Part 20.

(c) May not exceed the guidelines of 10 CFR Part 100.
Basis Accidents because they are used to set performance requirements
for engineered safety features of the plant (e.g., the emergency core
cooling system).

Table A.2 illustrates an alternative classification of accidents
for LWRs which is used in the preparation of environmental impact
reports. We note that Classes 1 through 8 are basically the same as
Categories A through C (which appear in the SAR). Of particular
interest is the Class 9 accident which lies outside the design basis.
Should a Class 9 accident occur, it would result in radiological
consequences greater than those specified in 10 CFR 100.

It is important to note that the precedent used in setting the
design basis accident is: "an overall safety objective of 10^-6 per
year and an objective for individual events of 10^[illegible] per year" [2].

The  Reactor  Safety  Study,  WASH-1400  [11]  attempts  to  estimate 
the  frequency  and  consequences  of  all  accidents  (including  Class  9) 
that  could  occur  in  LWRs.  In  general,  the  results  indicate  that  the 
frequency  of  the  dominant  contributor  to  risk  (core  melt)  in  the 
plants studied is about 5 x 10^[illegible] per reactor year, with only about
2  percent  of  the  core  melt  events  resulting  in  early  fatalities  [11]. 
Table A.3, obtained from the draft version, indicates the range of
frequencies considered. (It should be noted that postulated accidents*
PWR-8, PWR-9, BWR-5, and BWR-6 do not result in core melt.)

An important conclusion of the Reactor Safety Study is that transient
events are small contributors to the overall frequency of a core
melt in the pressurized water reactor (PWR) studies, while they dominate
the boiling water reactor (BWR) risk. The NRC staff has reviewed
the  extent  to  which  Anticipated  Transients  Without  Scram  (ATWS) 


*PWR  =  pressurized  water  reactor;  BWR  =  boiling  water  reactor. 
The  integer  corresponds  to  a  particular  release  category  described 
in WASH-1400 [11].
Table A.2

REACTOR FACILITY CLASSIFICATION OF POSTULATED ACCIDENTS
AND OCCURRENCES

No. of Class, Description, and Example

1  Trivial incidents
     Example: Small spills. Small leaks inside containment.

2  Miscellaneous small releases outside containment
     Example: Spills. Leaks and pipe breaks.

3  Radwaste system failures
     Example: Equipment failure. Serious malfunction or human error.

4  Events that release radioactivity into the primary system
     Example: Fuel defects during normal operation. Transients outside
     expected range of variables.

5  Events that release radioactivity into secondary system
     Example: Class 4 and heat exchanger leak.

6  Refueling accidents inside containment
     Example: Drop fuel element. Drop heavy object onto fuel.
     Mechanical malfunction or loss of cooling in transfer tube.

7  Accidents to spent fuel outside containment
     Example: Drop fuel element. Drop heavy object onto fuel. Drop
     shielding cask; loss of cooling to cask, transportation incident
     on site.

8  Accident initiation events considered in design-basis evaluation
   in Safety Analysis Report
     Example: Reactivity transient. Rupture of primary piping.
     Decrease of flow or steamline break.

9  Hypothetical sequences of failures more severe than Class 8 (but
   having much lower probability of occurrence)
     Example: Successive failures of multiple barriers normally
     provided and maintained.

SOURCE: Ref. 7.
Table A.3

PROBABILITIES OF INDIVIDUAL RELEASE CATEGORIES

              PWR                                  BWR

Accident                              Accident
Release     Probability               Release     Probability
Category    per Year (a)              Category    per Year (a)

PWR 1       7 x 10^[illegible]        BWR 1       9 x 10^[illegible]
PWR 2       5 x 10^[illegible]        BWR 2       2 x 10^[illegible]
PWR 3       5 x 10^[illegible]        BWR 3       1 x 10^[illegible]
PWR 4       5 x 10^[illegible]        BWR 4       3 x 10^[illegible]
PWR 5       1 x 10^[illegible]        BWR 5 (b)   1 x 10^[illegible]
PWR 6       1 x 10^[illegible]        BWR 6 (b)   1 x 10^[illegible]
PWR 7       6 x 10^-5
PWR 8 (b)   4 x 10^[illegible]
PWR 9 (b)   4 x 10^-4

SOURCE: Ref. 11.

(a) Frequency.

(b) Assumed not to result in core melt.
contribute to the overall frequency of core melt [2]. Based on
this review, the Staff in Volumes I and II of NUREG-0460 concluded
that ATWS events would be "significant" contributors to the overall
probability of core melt in future reactors. Some of the factors
prompting this conclusion are these:

1.  The  PWR  studied  in  WASH-1400  is  not  representative  of  all 
PWRs (not necessarily of future designs).

2.  The  inclusion  in  the  analysis  of  non-core  melt  sequences 
such  as  steam-generator  tube  failure. 

3.  The  lack  of  the  recirculation  pump  trip  in  some  BWRs. 

4.  The  inclusion  of  analyses  not  considered  in  WASH-1400,  such 
as  unavailability  of  various  mitigating  systems. 

Based  on  these  considerations,  Volumes  I  and  II  of  NUREG-0460  contain 
proposed acceptance criteria for existing and proposed LWRs.

Concurrent with the NRC staff review of ATWS events, the NRC
commissioned a review of the Reactor Safety Study, the results of
which appeared in NUREG/CR-0400 [16] several months after publication
of NUREG-0460. Of particular interest to this study are the following
findings of the Review Group:

1. "WASH-1400 was largely successful in at least three ways: in
making the study of reactor safety more rational, in establishing
the topology of many accident sequences, and in delineating
procedures through which quantitative estimates
of the risk can be derived for those sequences for which a
data base exists."

2. "We are unable to determine whether the absolute probabilities
of accident sequences in WASH-1400 are high or low,
but we believe that the error bounds on those estimates are,
in general, greatly understated. This is true in part because
of an inability to quantify common cause failure, an
inadequate data base in many cases, and in part due to some
questionable methodological and statistical procedures."
Among the several recommendations, the Review Group stated:


1.  Reevaluate  NRC's  inspection  and  quality  assurance 
system,  and  licensing  criteria  to  determine  the 
extent  to  which  they  incorporate  those  things  that 
have been learned from WASH-1400 and other relevant
literature. 

2. In general, avoid the use of the probabilistic risk
analyses methodology for the determination of absolute
risk probabilities for subsystems unless an
adequate data base exists and it is possible to
quantify the uncertainties.

3. Fault tree/event tree analysis should be among the
principal means used to deal with generic safety
issues, to formulate new regulatory requirements,
to assess and revalidate existing regulatory
requirements and to evaluate new designs.

It is interesting to note that in a small subsection on ATWS
events the Review Group quotes some of the results of NUREG-0460,
Volumes I and II, claiming an improvement of the ATWS calculations
over those in WASH-1400 but cautioning against extrapolation to a
full nuclear industry.

Following release and publication of the Review Group's report,
the NRC staff published Volume III of NUREG-0460 which
reevaluates their position on ATWS acceptance criteria. In Section
III, the originally proposed ATWS acceptance criteria and the
reevaluated criteria are reviewed.

It should also be noted that following publication of these
three reports (NUREG-0460, Vols. I, II, and III, and NUREG-CR-0400)
the NRC Commissioners issued a statement concerning the Reactor
Safety Study [7]. Of particular interest here is the following
statement included in their cover letter:

"The quantitative estimates of event probabilities in
the RSS* should not be used as the principal basis for
any regulatory decision. However, these estimates may be
used for relative comparisons of alternative designs or
requirements provided that explicit considerations are
given to the criticisms of those estimates as set forth
in the Report of the Risk Assessment Review Group."

*Reactor Safety Study.

The  importance  of  this  statement  is  that  some  of  the  decisions  made 
during  the  review  of  the  Clinch  River  Breeder  Reactor  discussed  below 
may  require  further  review  and  modification. 

The  major  emphasis  on  safety  research  for  LMFBRs  has  been  on 
core  disruption  accidents  (CDAs)  because  of  their  potential  for  large 
energy  releases.  A  CDA  can  be  defined  as  an  accident  involving  loss 
of  core  coolable  geometry.  The  potential  for  large  energy  release 
stems  from  the  fact  that  LMFBR  cores  are  not  designed  to  be  in  their 
most critical configuration, and various material motions and composition
changes can lead to large reactivity additions.

The  two  accident  scenarios  receiving  the  most  attention  are  the 
transient overpower accident (TOP) and the loss of flow (LOF), both
without  shutdown  by  any  means  available.  The  TOP  is  an  accident  in 
which  a  postulated  reactivity  insertion  causes  the  power  to  increase 
but  heat  removal  capability  is  assumed  to  remain  nominal.  The  LOF  is 
an accident in which the heat removal capability is postulated to decrease
while the power generation is assumed to remain nominal. In
both  cases,  the  reactor  is  unprotected,  i.e.,  the  plant  protection 
system  (PPS)  (shutdown  on  scram  system)  is  assumed  to  fail. 

Recently, there has been interest in core melt accidents initiating
from the shutdown state. Two examples are:

o The loss of heat sink with scram.

o The loss of cold leg piping with scram.†

The most recent licensing experience for an LMFBR that may resemble
future commercial plant experience is the review of the PSAR for


*A distinction is sometimes made between pressure driven disassembly
and a slow progression of melting. In this Note CDA covers
both.

†This is applicable to loop-type LMFBRs, such as CRBR, but not
to pool-type concepts.
the Clinch River Breeder Plant (CRBRP) [23]. Although the formal
review has been suspended by the NRC, certain preliminary but relevant
decisions were made by both the applicant and the regulatory
agency.

The initial PSAR contained two designs for CRBRP: the reference
design in which CDAs were not considered as part of the design basis,
and the parallel design (or fallback design) in which systems to
accommodate or mitigate CDAs were included. Subsequent to the initial
docketing of the PSAR, an amendment was submitted withdrawing
the parallel design, but, "in keeping with past practice of
first-of-a-kind plants, the project planned to incorporate features designed
on the basis of accommodating a range of events including those having
an exceedingly low probability of occurrence" [23]. Included were
plans to "incorporate features designed to mitigate consequences of
accidents from loss of in-place (core) coolable geometry" [23].

Before suspending formal review of the PSAR for CRBRP, the NRC
staff issued preliminary comments and guidance with respect to the
PSAR for CRBRP [24]. Although the views and positions of the NRC
staff were intended to be specifically for CRBRP and not intended to
establish precedents for future LMFBR reviews, they are important
because as shown [1] they parallel the proposed criteria for
LWR-ATWS acceptance.*


*It should be noted that prior to the suspension of the licensing
review for CRBRP, the applicant was in the process of appealing
some of these preliminary decisions reached by NRC.